Privacy Policy

Beta Notice: Ground 0 is currently in beta and under active development. This policy may be updated as we continue to improve the platform.

Last updated: February 2026

This privacy policy explains how Ground 0 ("we", "us", "our", or "Ground 0") collects, uses, stores, and protects your personal data when you use our platform at ground0.io (the "Service"). We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection law.

This privacy policy should be reviewed by a qualified legal professional. It is provided as a good-faith effort to comply with GDPR and may require adjustments based on specific legal advice.

1. Data Controller

The data controller responsible for processing your personal data is:

Ground 0
Email: support@ground0.io

2. Data We Collect

We collect and process the following categories of personal data when you use the Service:

2.1 Account Data

  • Full name
  • Email address
  • Billing address (when purchasing credits or subscriptions)
  • Password (stored in hashed form only)

2.2 Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Session identifiers
  • Referring URL

2.3 Usage Data

  • Chat content (messages you send to and receive from AI models)
  • Generated media (images, videos, music, documents, presentations, and spreadsheets created through the Service)
  • Feature usage patterns and interaction data
  • Credit consumption and transaction history
  • Model and feature preferences

2.4 Voice Data

  • Voice recordings submitted for transcription (processed in real-time and not permanently stored in audio form; only the resulting text transcription is retained as part of your chat content)

2.5 Payment Data

  • Payment information is collected and processed by our Merchant of Record, Lemon Squeezy (Lemon Squeezy LLC). We do not directly store your credit card numbers or banking details. We receive transaction confirmations, subscription status, and billing identifiers from Lemon Squeezy.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR:

3.1 Performance of a Contract — Art. 6(1)(b) GDPR

Processing of your account data, chat content, generated media, credit transactions, and payment data is necessary for the performance of the contract between you and Ground 0 (our Terms of Service). Without this data, we cannot provide the Service.

3.2 Legitimate Interests — Art. 6(1)(f) GDPR

We process technical data (IP address, browser/device information) and usage data for the following legitimate interests:

  • Security and fraud prevention: Protecting the Service and our users from unauthorized access, abuse, and fraudulent activity.
  • Service improvement: Understanding how users interact with the Service to improve functionality, performance, and user experience.
  • Technical operations: Ensuring the stability, availability, and performance of the Service infrastructure.

We have conducted a balancing test and determined that these interests do not override your fundamental rights and freedoms, given the limited nature of the data processed and the safeguards in place.

3.3 Consent — Art. 6(1)(a) GDPR

For optional features that involve additional processing of your data beyond what is necessary for the core Service, we will request your explicit consent before processing. You may withdraw your consent at any time by contacting us at support@ground0.io. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. Purpose of Processing

We process your personal data for the following purposes:

  • Service delivery: Providing AI-powered chat, content generation (images, video, music, documents, presentations, spreadsheets), and related features.
  • Account management: Creating and maintaining your user account, authenticating sessions, and managing your preferences.
  • Billing and credit management: Processing subscriptions, credit purchases, tracking credit usage, and maintaining transaction records.
  • Security and fraud prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity on the platform.
  • Service improvement: Analyzing usage patterns to improve features, fix bugs, and enhance the overall user experience.
  • Communication: Sending transactional emails (password resets, account notifications, billing confirmations) and, where you have consented, service-related announcements.
  • Legal compliance: Fulfilling legal obligations, including tax record retention and responding to lawful requests from authorities.

5. Data Processors and Recipients

We share your personal data with the following categories of recipients, each acting as a data processor under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR:

5.1 Hosting and Infrastructure

  • Google Cloud Platform (GCP) — Brussels, Belgium (europe-west1 region). Provides cloud hosting, compute (Cloud Run), database (Cloud SQL), and object storage (Google Cloud Storage) for all Service data. Data remains within the EU.

5.2 AI Model Providers

  • OpenAI, Inc. (San Francisco, USA) — Processes chat content and generates AI responses and images. Data transfers to the USA are governed by Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR.
  • Anthropic, PBC (San Francisco, USA) — Processes chat content and generates AI responses. Data transfers to the USA are governed by Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR.
  • Google AI (EU) — Processes chat content, generates AI responses, images, and video. Processing occurs within the European Union.
  • Black Forest Labs GmbH (Germany) — Generates AI images using FLUX models. Processing occurs within the EU.

5.3 Music Generation

  • Suno API — Generates AI music based on your prompts. Your text prompts are sent to Suno for processing. Please refer to Suno's privacy policy for their data handling practices.

5.4 Payment Processing

  • Lemon Squeezy LLC (USA) — Acts as our Merchant of Record for payment processing, subscription management, tax compliance, and refunds. Lemon Squeezy collects and processes your payment information directly. Data transfers to the USA are governed by Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR.

5.5 Email

  • Nodemailer / SMTP — Used for sending transactional emails (password resets, account notifications, billing confirmations). Only your email address and the message content are transmitted.

6. Data Storage Location

All data is processed and stored in the European Union (Belgium, europe-west1 region) on Google Cloud Platform infrastructure in compliance with GDPR. Your chat content, generated media, account data, and usage data are stored within EU data centers.

Where data is transferred to processors outside the EU — specifically OpenAI (USA), Anthropic (USA), and Lemon Squeezy (USA) — this is done under Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR. We have assessed the data protection laws of the recipient countries and implemented supplementary measures where necessary to ensure an adequate level of protection for your personal data.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law:

  • Account data: Retained for the duration of your account. When you delete your account, your personal data is erased within 30 days, except where retention is required by law.
  • Chat history: Retained until you delete individual conversations or your entire account. You may delete chat history at any time through the Service interface.
  • Generated media: Stored for 18 months from the date of creation, after which files are automatically deleted via a lifecycle policy on our storage infrastructure.
  • Credit and transaction logs: Retained for 7 years in accordance with Polish tax record retention requirements (Abgabenordnung, Section 147 AO).
  • Technical and usage data: Retained for up to 12 months for security and service improvement purposes, then anonymized or deleted.

8. Your Rights Under GDPR

Under the GDPR (Articles 15-22), you have the following rights regarding your personal data. To exercise any of these rights, please contact us at support@ground0.io. We will respond to your request within one month, as required by law.

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access your personal data and receive a copy of it.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, you withdraw consent, or the data has been unlawfully processed.
  • Right to restriction of processing (Art. 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or object to processing.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Ground 0 is the Polish Data Protection Office (UODO) — see Section 13 below.

9. Cookies

The Service uses only essential session cookies that are strictly necessary for the functioning of the platform. These cookies are used to:

  • Authenticate your session and maintain your login state
  • Ensure security of your account
  • Remember your preferences during a session

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because our cookies are strictly necessary for the provision of the Service, they are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive (2002/58/EC) as implemented in Polish law (Telecommunications Act).

10. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without valid parental consent, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at support@ground0.io.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest (AES-256 encryption for sensitive fields)
  • Database-level Row Level Security (RLS) ensuring users can only access their own data
  • Secure password hashing using industry-standard algorithms
  • Regular security assessments and updates to dependencies
  • Access controls and least-privilege principles for infrastructure and data access
  • Secrets management through Google Cloud Secret Manager (no hardcoded credentials)

12. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will provide at least 30 days' notice before the changes take effect by posting a notice on the Service or sending you an email notification. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.

13. Supervisory Authority

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority. The supervisory authority for Ground 0 is:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
Website: uodo.gov.pl

14. Contact

If you have any questions about this privacy policy, your personal data, or wish to exercise any of your rights under the GDPR, please contact us:

Ground 0
Email: support@ground0.io